TEHTRIS DECEPTIVE RESPONSE

TEHTRIS DECEPTIVE RESPONSE and its honeypots simulate fake machines and services in order to fool intruders.

Deceptive Response

TEHTRIS Deceptive Response (honeypots) provides an effective alarm system in real-time, ahead of intrusions, adding a complementary view to the security of your systems and infrastructures. By adding false resources to your network, these sensors lure attackers and provide you with reports and event dashboards.

Unlike products that have to shuffle through billions of data with the risk of generating false alarms, TEHTRIS Deceptive Response will only be solicited when it is being interacted with. No one is usually supposed to play with or attack these fake machines that are not officially present on the network for production purposes.

When a hacker targets a network secured by TEHTRIS Deceptive Response, he may fall on the fake machines (decoys), triggering an alarm. The hacker does not have time to make mistakes, as it will complicate his internal exploration sessions and his lateral movements.

Latest Updates

WHY tehtris DECEPTIVE RESPONSE?

NETWORK SCALABLE

At the network level, TEHTRIS Deceptive Response can cover all VLANs in a network zone without the need to manually deploy a fake device in each VLAN.

SIMPLICITY

TEHTRIS Deceptive Response does not modify systems in production, simply adding fake machines, without the risk of disrupting existing elements.

INCREASED POWER

TEHTRIS Deceptive Response includes a fleet of honeypots natively integrated to the TEHTRIS XDR Platform with SOAR, CTI, Hunting, Compliance, Incident Management, etc.

RISK-FREE INTEGRATION

TEHTRIS Deceptive Response does not modify systems in production. It simply adds fake machines, without disrupting existing elements.

SECURITY

TEHTRIS Deceptive Response runs on appliances using TEHTRIX distribution, that are fully disk encrypted, with advanced protection mechanisms such as RBAC in the kernel and 0-day protection.

LEGITIMACY

The co-founder of TEHTRIS has been creating honeypots for over 20 years. He has been invited by armies and intelligence services around the world, to discuss his studies related to counterattacks or dynamic and proportional incident response systems.

TEHTRIS SOAR

Security Orchestration, Automation and Response

When it comes to  cybersecurity, the ability to orchestrate a quick and efficient response to cyber events is a fundamental issue. One of the best ways to achieve this is to use particularly powerful automation and artificial intelligence. This is what TEHTRIS offers you with its SOAR integrated to the TEHTRIS XDR Platform.

Discover our way to create hyper automation!

COMPLIANCE WITH MITRE ATT&CK

MITRE ATT&CK is a knowledge base with a modeling of the behavior of a cyberattacker, illustrating all phases of a cyberattack’s life cycle in relation to targeted platforms: Windows, macOS, Linux, mobile devices and so on.

Find out how TEHTRIS is compliant with MITRE ATT&CK

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

SOME figures

99 day

to deploy
TEHTRIS DECEPTIVE RESPONSE

1 million

important alerts
every month

999 billion

interactions monitored worldwide annually by TEHTRIS honeypots

FAQ

TEHTRIS Deceptive Response covers all network layers from Level 3 to Level 7, providing the ability for attackers to interact remotely, using fake machines. We thus offer network level (IP+ICMP, TCP, UDP) and application level fake layers to simulate SSH access, Web, Windows services and so on.

TEHTRIS Deceptive Response is very simple to deploy, by setting up each virtual appliance dedicated to your business, at the heart of your infrastructure. A simple boot of our installation ISO, and 4 basic answers later, you get your own honeypots that are installed on your network, with the knowledge that the whole service is remotely operated by TEHTRIS in SaaS mode.

A computer decoy is a system capable of making an attacker believe that he is interacting with a real machine, a real service, a real file, etc., in your company. There are many decoys out there, but some are not very effective, because they have become familiar to hackers.

By deploying TEHTRIS Deceptive Response, you create value in many different ways. Hackers will waste time on decoys instead of attacking your real machines giving you the opportunity to be better prepared during these crises. Furthermore, they will be detected in the early stages of an attack while they are still mapping out your networks. Finally, you will have the opportunity to understand their operational methodologies in order to better protect your real networks.

We offer several levels of interaction while maximizing our goal of saving time and gathering information from attackers. SOC teams are already struggling to try to follow the logs of real devices. So, without falling into the issues related to high interaction that would cost too much time for humans, far from the real production, we decided to create a tactical system, very field-oriented, combining weak interactions or beyond, to be informed during the upstream phase of an attack.

We think it’s best to deploy decoys inside the network, in very sensitive areas for example, such as your data centers and critical factories. We have customers who have deployed TEHTRIS Deceptive Response on network areas where there is virtually no interaction, such as a fairly closed DMZ. So, the day a hacker enters an exposed website, he will quickly be detected by starting an in-depth exploration phase to escape that DMZ, by visiting neighboring machines. We have customers who have deployed TEHTRIS Deceptive Response on networks that are completely open to internal users, because they wanted to gain certainty about specific at-risk staff (temporary subcontractors particularly interested in crafting discovery packets). Finally, we have customers who have managed to detect attacks via external Wi-Fi for guests, because TEHTRIS Deceptive Response was solicited in a very particular way by visitors pretending to be friendly, who had no idea that an anti-spying honeypot was waiting for them on these floors.

We see every single network packet that comes into the honeypots and we have the ability to quickly understand if it is a false positive or not. Indeed, many people believe in the myth of honeypots, but the reality is that these tools also generate a lot of alerts and we need to understand what is normal and what is not. We therefore monitor several services in particular, such as SSH, Windows, and the Web.

All actions are fed back into the TEHTRIS XDR Platform to which the honeypots are connected. This allows you to benefit from all the other security bricks, such as hunting, CTI, audits, etc. For example, a SOC analyst can quickly see an aggressive IP, doing an “Nmap” scan on a honeypot, and check if the internal IP address is known or go investigate with TEHTRIS EDR on it.

We have all TCP/IP interactions that are notified, as well as high interactions with specific decoys like SSH, Web or even Windows parts. For some interactions, TEHTRIS Deceptive Response users particularly appreciate being able to watch the hacker on video. For SSH, you can follow all typed commands step by step to understand the level, motivations, goals, and tools used. This gives us a rather original and unique way to track hackers.

As TEHTRIS Deceptive Response is deployed on a sensitive area, we listen to the available local flows, beyond the Unicast flows that we receive, and we build a vision of the neighboring machines in CMDB mode. This is not the main function of TEHTRIS Deceptive Response, but it is very useful for us to know where a laptop was connected for the first time, in which factory, on which VLAN, and above all for what purpose.